rsync cron job via ssh without authentication (read-only filesystem issue)

Status
Not open for further replies.
Joined
Nov 2, 2011
Messages
4
Hey,

Love zfs, but just need to make sure that I have an external offsite rotating backup.

I am running FreeNAS-8.0.2-RELEASE-amd64 (8288) on a Intel(R) Core(TM)2 Quad CPU Q8300 @ 2.50GHz with 4047MB Ram.

I am trying to create a simple rsync cron job to back up to another computer on the network. However I am having an issue making the .ssh directory needed to keep the encryption keys.

My rsync command looks like:
rsync -avz /mnt/drive250/sshare user@192.168.0.71:/Volumes/backup/

It works well, except that I need to always say [yes] authenticate the server and put in my password. Obviously for a cron job at 10pm this is not going to work very well.

So what can I do to allow the SSH key to be stored on the read-only file system of the freenas and should I add anything to my rsync cron job?

And yes, I am a noob.

Thanks.
 

Durkatlon

Patron
Joined
Aug 19, 2011
Messages
414
You are running this as root, right? Just run "mount -uw /" and then run the job once. That should allow the .ssh stuff to get created in the right place.
 
Joined
Nov 2, 2011
Messages
4
Thanks for the reply.

I am running as root and have made a little progress since.

All the .ssh stuff is created, as far as I can tell. What I am running into issues with is the public and private keys, i think.

So, I have freenas and I am rsyncing via ssh to a mac. So technically this might be an mac issue. Here is what I have done so far:

Used "mount -uw /" to write to the file system on freenas

Created a key set on the mac
"ssh-keygen -t dsa"

then sent the public to the freenas
"scp ~/.ssh/id_dsa.pub root@192.168.0.200:/root/.ssh/authorized_keys"


but when I try to log into the mac via freenas it still asks for a password, either the mac is not using the public key or the freenas is not sending the public key. I think it might have something to do with "ssh-add" and/or "ssh-agent" within BSD.

Thanks for your help.
 

Durkatlon

Patron
Joined
Aug 19, 2011
Messages
414
Oh sorry, I was thinking it was a "known_hosts" file problem. Yes the key setup is a complete pain. This was one of the main reasons I went with rsync instead of snapshot replication. Hopefully someone has some pointers for you, I deliberately decided to stay away from this area.
 
Joined
Nov 2, 2011
Messages
4
Well I have made a little progress in possibly eliminating the mac side of the equation.

According to this ssh key tutorial, I am doing the key making and transferring the keys correctly. Seems to be an issue with BSD not using the keys when it authenticates to the mac.

Is there a verification daemon that I am missing? Am i placing the keys in the correct directory (/root/.ssh/authorized_keys and /root/.ssh/authorized_keys2).

Also probably related. The nameserver seems to not be working. I am running off of a gateway at 192.168.0.1 which I have put as the nameserver but it is not pinging any of the netbios names in my network. This might be related because the key says the netbios name not the ip address, which I have to use to login to the mac or BSD will not be able to find the address.

Perplexing indeed.
 

Milhouse

Guru
Joined
Jun 1, 2011
Messages
564
1) Check the permissions on the /root/.ssh directory (should be 700)
2) Check the permissions on the authorized_keys and known_hosts files, both should be 644
3) If still not working, on the Mac enable verbose logging/debug with "ssh -vvv root@192.168.0.200" and analyse the output, posting here if necessary
 

louisk

Patron
Joined
Aug 10, 2011
Messages
441
you probably need to do something like "rsync -options -e 'ssh -o HostbasedAuthentication=no -i /path/to/pub/key' /src/path user@host:/destination/path/"
Then, if you have made sure all your permissions (both on src and dst machines) are correct, and they key has been copied over and installed for the correct user (the one you're connecting to with rsync), things should work fine. I setup a couple systems like this to use a remote machine as an intermediary. Worked like a charm.

(I'm going from memory here, I may not have gotten the ssh option correct).
 
Joined
Nov 2, 2011
Messages
4
Thanks everyone for your help. With the little pieces you all gave I think that I was able to piece it together.

I think that I got it working (still need to test as a cron job).

Here is what I did:

#Remember that this is for a cron job on a freenas to backup to a Mac (10.7) on a local network, although it will probably be about the same for any other unix variant running ssh/rsync.

YOU'LL HAVE TO DO THIS AFTER EVERY UPDATE, UPDATING WILL DESTROY THE KEYS

On Freenas 8.0.2, first make the file system writable

Code:
mount -uw /


Then add the ssh keygen on the freenas (rsa/dsa, I don't know the difference so hopefully it does not matter)

Code:
ssh-keygen -t rsa


Click enter 3x to make null passwords and accept the generic location of the newly created id_rsa.pub and id_rsa keys (public and private) which will be in ~/.ssh/

The lock down the permissions on the Public key

Code:
chmod 700 ~/.ssh/id_rsa.pub


Then transfer the PUBLIC KEY (the .pub file) to the Mac (or linux) using

Code:
scp ~/.ssh/id_rsa.pub user@192.168.0.200:~/.ssh/

Make sure to sub in your own username and IP address

And make the freenas filesystem read-only again with
Code:
mount -ur /


PHYSICALLY MOVE OVER TO THE MAC (or ssh into it)
Code:
ssh user@192.168.0.200

sub in your own username and IP address

Copy the contents of id_rsa.pub into a new file at ~/.ssh/authorized_keys

Code:
cat ~/.ssh/id_rsa.pub >>~/.ssh/authorized_keys


Then lock down the permissions on the authorized_keys file

Code:
chmod 700 ~/.ssh/authorized_keys


BACK TO THE FREENAS (or $ exit in ssh)

This is the rsync command that works for me that does not ask for a password
Code:
rsync -az /mnt/your/share/location user@192.168.0.71:/your/backup/directory/


Info for doing the keys came from Jayakara Kini's Weblog

The rsync options that I chose are -a (archive for keeping times, owners, permissions, and recursive into directories) and -z (for compressions over the network). I am looking at the --delete command but am hesitant. If some user deletes everything in the share then leaves overnight when the backup is scheduled, then comes back the following morning and kicks the freenas in the face, I might loose data as the rsync backup would have deleted all the files on the backup to bring them up to sync with the now empty share directory. Paranoid indeed.

I guess what I want to do is keep files on the backup and perge them after a certain time (like 2 weeks). So some combination of the --backup command and the --delete command is what I want.

Any thoughts on such an rsync command?
 

louisk

Patron
Joined
Aug 10, 2011
Messages
441
Apologies for not thinking about this sooner. You will get much higher performance on your copy if you use the rsync protocol as opposed to ssh (crypto overhead). If you are syncing over an untrusted network, I would not suggest going unencrypted, but if it's just locally, I would just setup the rsync module in FreeNAS and skip the overhead of SSH.

I typically use -aPS, or -azWm.
 

uutzinger

Dabbler
Joined
Nov 27, 2011
Messages
43
I use in GUI for rsync tasks under extra options: --rsh="ssh -2".
That seems to work if keys are in ~/.ssh and the public keys in the targets key_store.

Since I set users home to be on a storage disk (/mnt/mystorage/myuserhome) the keys should survive reboot.
 

louisk

Patron
Joined
Aug 10, 2011
Messages
441
You can tell ssh to use a key in a specified location, and you can tell rsync to use an external command for ssh, and just pass ssh and the necessary options.
 
Status
Not open for further replies.
Top